(57) Abstract:

PROBLEM TO BE SOLVED: To execute a task for a 
user by executing a user task specified in a newly 
prepared address space. 

SOLUTION: A daemon application 208 prepares a new environment after verifying a user ID 214 and authenticating a password 216. A kernel spawn routine 226 in a kernel layer 204 gains control and creates a new user task layer or address space 206. The POSIX permission settings are obtained by querying a security database 232 in the kernel layer 204. The new address space 206 is initialized directly, with its user ID and group ID set equal to the user ID and group ID associated with the user name 214 in the database 232. A program image 238 corresponding to the user task 218 is loaded into the address space 206, and control is passed to the program image to execute the user task.










JP,10-161933,A [CLAIMS] 






* NOTICES *

JPO and INPIT are not responsible for any damages caused by the use of this translation.

1. This document has been translated by computer, so the translation may not reflect the original precisely.
2. **** shows a word which cannot be translated.
3. In the drawings, any words are not translated.



CLAIMS 

[Claim(s)] 

[Claim 1] In a server system that has an operating system kernel and in which a daemon process monitors requests from users for execution of a specified user task, each request specifying the user's identity, a method of performing said task on behalf of said user in a security environment appropriate for said user, comprising: (a) when the daemon process receives said request from said user, [1] a step of setting an environment variable according to said identity specified by said request, and [2] a step of issuing a system call to said operating system kernel to execute said specified user task in a new address space; and (b) when said operating system kernel receives said system call from said daemon process, [1] a step of creating a new address space for said specified user task, [2] a step of creating a security environment for said specified user task according to said environment variable, and [3] a step of starting said specified user task in said new address space.

[Claim 2] A method according to claim 1, wherein said operating system kernel is a POSIX-conforming operating system kernel.

[Claim 3] A method according to claim 1, wherein said system call is a spawn() system call.

[Claim 4] A method according to claim 1, wherein said user has a user name and said identity includes said user name.

[Claim 5] A method according to claim 4, wherein said environment variable is set equal to said user name.

[Claim 6] A method according to claim 5, wherein said new address space and said user name each have a user ID associated with them, and said step (b) [2] of creating said security environment sets the user ID of said new user address space equal to the user ID of the user name specified by said environment variable.

[Claim 7] A method according to claim 6, wherein the user ID of said user name is determined by accessing a security database.

[Claim 8] A method according to claim 5, wherein said new address space and said user name each have a group ID associated with them, and said step (b) [2] of creating said security environment sets the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

[Claim 9] In a server system that has an operating system kernel and in which a daemon process monitors requests from users for execution of a specified user task, each request specifying the user's identity, a device for performing said task on behalf of said user in a security environment appropriate for said user, comprising: (a) means, associated with said daemon process and responsive to receipt of said request from said user, for [1] setting an environment variable according to said identity specified by said request and [2] issuing a system call to said operating system kernel to execute said specified user task in a new address space; and (b) means, associated with said operating system kernel and responsive to receipt of said system call from said daemon process, for [1] creating a new address space for said specified user task, [2] creating a security environment for said specified user task according to said environment variable, and [3] starting said specified user task in said new address space.

[Claim 10] The device according to claim 9, wherein said operating system kernel is a POSIX-conforming operating system kernel.

[Claim 11] The device according to claim 9, wherein said system call is a spawn() system call.

[Claim 12] The device according to claim 9, wherein said user has a user name and said identity includes said user name.

[Claim 13] The device according to claim 12, wherein said environment variable is set equal to said user name.

[Claim 14] The device according to claim 13, wherein said new address space and said user name each have a user ID associated with them, and said means (b) [2] for creating said security environment includes means for setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.

[Claim 15] The device according to claim 14, wherein the user ID of said user name is determined by accessing a security database.

[Claim 16] The device according to claim 13, wherein said address space and said user name each have a group ID associated with them, and said step (b) [2] of creating said security environment sets the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

[Claim 17] In a server system that has an operating system kernel and in which a daemon process monitors requests from users for execution of a specified user task, each request specifying the user's identity, machine-readable program storage tangibly embodying a program executable by a machine to perform method steps for performing a task on behalf of said user in a security environment appropriate for said user, said method steps comprising: (a) when said daemon process receives said request from said user, [1] a step of setting an environment variable according to said identity specified by said request, and [2] a step of issuing a system call to said operating system to execute said specified user task in a new address space; and (b) when said operating system kernel receives said system call from said daemon process, [1] a step of creating a new address space for said specified user task, [2] a step of creating a security environment for said specified user task according to said environment variable, and [3] a step of starting said specified user task in said new address space.

[Claim 18] The program storage according to claim 17, wherein said operating system kernel is a POSIX-conforming operating system kernel.

[Claim 19] The program storage according to claim 17, wherein said system call is a spawn() system call.

[Claim 20] The program storage according to claim 17, wherein said user has a user ID and said identity includes said user ID.

[Claim 21] The program storage according to claim 20, wherein said environment variable is set equal to said user ID.

[Claim 22] The program storage according to claim 21, wherein said new address space and said user name each have a user ID associated with them, and said step (b) [2] of creating said security environment includes a step of setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.

[Claim 23] The program storage according to claim 22, wherein said user ID of said user name is determined by accessing a security database.

[Claim 24] The program storage according to claim 21, wherein said new address space and said user name each have a group ID associated with them, and said step (b) [2] of creating said security environment includes a step of setting the group ID of said new address space equal to the group ID of the user name specified by said environment variable.






DETAILED DESCRIPTION 

[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to a method of creating a new unit of work in a POSIX environment using a new user identity and the appropriate privileges.

[0002] 

[Description of the Prior Art] Distributed computing systems (in which work is distributed across two or more interconnected machines) are often built on the client/server model. In this model, a client process (or simply "client") sends a server process (or simply "server") a request to perform a specified service: printing a file in the case of a print server, retrieving or storing a file in the case of a file server, or running an application in the case of an application server. Although the client process and the server process can reside on the same physical machine, they usually reside on different machines, and the following description assumes so. Servers are used in local area networks (LANs) and the like as well as in wider-area networks such as the Internet. One class of Internet server of particular interest in this specification is the server that provides services for the World Wide Web. The World Wide Web is the collection of Internet sites that provide graphical content ("web pages") and other services using the HyperText Transfer Protocol (HTTP).
[0003] Servers such as World Wide Web (or simply "web") servers run on an operating system, which manages the system resources of the machine on which the server resides and provides basic system services. These operating systems are often UNIX or UNIX-based operating systems. With the rapid proliferation of UNIX operating systems, various efforts have been made to define the set of common services that such systems provide. One such effort is the IEEE POSIX 1003.1 specification, first published in 1988, together with supplements such as IEEE POSIX 1003.1d (referred to collectively below as "POSIX").

[0004] On a POSIX-conforming system, access to files and the like by users is controlled by associating with each process and each file a user ID and a group ID that identify a user. Each file also has three fields associated with it, each consisting of a triplet of permission bits called the rwx bits. The three fields define the access permitted to the owner of the file, to other users in the owner's group, and to other users outside the owner's group, respectively. Within each three-bit field, the r bit specifies whether the file may be read, the w bit whether it may be written, and the x bit whether it may be executed. When a process requests access to a file, the user ID and group ID of the process are always checked against the user ID, group ID and permission bits of the file to determine whether the access requested by the user running the process is allowed. This access control procedure is well known in the art and is described in reference works such as W. R. Stevens, "UNIX Network Programming" (1990), and A. S. Tanenbaum, "Modern Operating Systems" (1992).

[0005] To provide this access control in a server environment, a POSIX-conforming operating system must support a server's ability to create a new unit of work with a new security environment, using a new user identity, so that the new unit of work can access a set of resources different from the server's own. Work of this type has conventionally been done within a server system by a background program called a "daemon". In general, a daemon handles requests and performs tasks on behalf of users who have a subset of the daemon's authority. To maintain system security, the task must be performed in a new unit of work using the user's authority. Creation of these new units of work is handled using POSIX services such as fork(), setuid(), setgid(), exec() and related functions.

[0006] An example of a daemon is a web server on a POSIX system. Such a web server is a program that monitors a port for user requests to retrieve a document from the POSIX file system. To do this, the web server must first verify the user name and password. Next, the web server creates a new address space using the fork() function, providing a separate environment for the requested user task. Once in the new address space, the web server must create the correct security environment using various POSIX functions: after setting the correct supplementary group IDs using getgroups() and setgroups(), it must set the correct group ID and user ID using setgid() and setuid(). The supplementary groups, group ID and user ID form the basis of POSIX permissions. Finally, the web server performs an exec() of a shell, which runs the shell script that fetches the requested document. Taken as a whole, this is a long and complicated process that incurs considerable processing overhead.

[0007]

[Problem(s) to be Solved by the Invention] The spawn() service is a POSIX function that combines the fork() and exec() services into a single call (described in IEEE POSIX 1003.1d). A POSIX application can therefore simply create the new program in a different address space, instead of forking a new address space and then executing a new program image, and so save the overhead of copying the requester's address space. The problem, however, is that at present there is no way to change the user identity before the new program image gains control without changing the daemon's own security environment. Consequently, if the daemon spawns a shell script to fetch the requested document, access to the POSIX file system takes place under the daemon's user identity, which may override the POSIX permissions of the user requesting the document. Because spawn() cannot be used, the daemon application must carry the extra, cumbersome software that is executed in the user task process layer as described above.
[0008] 

[Means for Solving the Problem] In general, this invention relates to a method and device for performing a task on behalf of a user in a security environment appropriate for that user, in a server system in which a daemon process monitors requests from users to perform a specified user task. On receiving a request from a user, the daemon process sets an environment variable according to the user identity (for example, the user name) specified by the request and issues to the operating system kernel a system call to perform the specified user task in a new address space. The operating system kernel may be a POSIX-conforming kernel, in which case the system call may be a spawn() system call. On receiving the system call from the daemon process, the operating system kernel creates a new address space for the specified user task, creates a new security environment for the specified user task according to the environment variable, and runs the specified user task in the new address space.

[0009] Specifically, according to this invention, the above drawback of the prior art is eliminated by creating a new environment variable (USERNAME). When this environment variable is specified, the program invoked by the spawn() function gains control with the correct POSIX permissions. To achieve this, the spawn() function is changed so that it recognizes the new environment variable and, after verifying that it names a valid user, performs the initial creation of the new address space for the specified user name. Because this is done with the new user identity, the remaining POSIX permissions are obtained from the user's entry in the security database. Once initialization of the new address space and task is complete, the spawn routine starts the new program image in the current security environment.

[0010] This invention provides a method of creating a security environment for a user task process without requiring any change to the daemon process environment. No part of the daemon application needs to run in the user task process (if it did, the user task process permissions would have to be changed before control is passed to the user task program image). This invention makes it possible to replace the conventional use of fork() and exec() with the spawn() function, thereby gaining the simplicity and performance improvement inherent in the spawn() function.
[0011] 

[Embodiment of the Invention] Drawing 1 shows an example of a computer system 100 (including the physical machine) incorporating a daemon of a conventional implementation, and shows the relationship between the software layers that perform a requested task for a specific user. These layers include a daemon process layer or address space 102, an operating system (OS) kernel layer or address space 104, and a user task process layer or address space 106 created as described below. The physical machine may be, for example, an IBM S/390 processor such as an S/390 Parallel Enterprise Server, and the kernel layer 104 may be the IBM OS/390 operating system with its POSIX-conforming OpenEdition component.

[0012] The daemon process layer 102 contains a daemon application 108, which includes software that acts on behalf of users and monitors a port or communication line 110 connected to remote clients (not shown). The daemon application 108 accepts as input via the port 110 a request 112 containing a user name 114, a password 116, and an identifier 118 specifying a task (Step 120).

[0013] The user name (or login name) 114 is an alphanumeric string uniquely associated with a user, which the user uses to identify himself or herself to the system 100. A security database 134 associated with the system 100 holds a record 136 for each user name 114, storing an integer user ID uniquely associated with the user name, an integer group ID uniquely associated with the user name, and a list of supplementary groups associated with the user name, as well as the user's password and other relevant information. To authenticate a user, the daemon application 108 accesses the record 136 corresponding to the specified user name 114 in the security database 134 and checks the password contained in the record. If a record 136 exists for the specified user name 114 and the password in the record matches the password 118 supplied with the request, the requester is authenticated as the user he or she claims to be.

[0014] After the daemon application 108 has verified the user name 114 and authenticated the password 116, it must prepare a new environment in which to run the new program image that performs the requested task. To do so, the daemon application 108 issues a fork() system call to the kernel layer 104 to create a new process (Step 122).
[0015] The fork() system call triggers the kernel fork routine 124 in the kernel layer 104, which gains control. On gaining control, the fork routine 124 creates and initializes the new address space 106 (Step 126) and copies the memory attributes, security attributes and process execution attributes from the daemon layer 102 to the user task process layer 106 (Step 128).

[0016] On successful completion, the fork() routine 124 makes the process layer 102 containing the daemon application 108 the parent of the newly created child process layer 106, which contains the daemon application 130. The fork() routine 124 returns to the daemon applications 108 and 130 a code indicating in which process layer each of them is running. In the parent process layer 102, the daemon application 108 loops back and waits for further work to arrive from the port 110 (Step 129).

[0017] In the child process layer 106, the daemon application 114 in that layer sets up the security attributes of the user name 114 specified by the request.

[0018] Several POSIX functions are called to set the correct supplementary groups, group ID and user ID of the child process layer 106. These calls access the requesting user's data in the security database 134. Specifically, the child daemon application 130 first issues a getpwnam() call, which accesses the security database 134 to determine the user ID and group ID corresponding to the user name 114 (Step 132). The application 130 next issues a getgroups() call, which accesses the security database 134 to determine the supplementary groups corresponding to the user name 114 (Step 138).

[0019] Using this information, the child daemon application 130 issues a setgroups() call to set the supplementary groups of the child process layer 106 to those corresponding to the user name 114 (Step 140), a setgid() call to set the group ID of the child process layer 106 to the group ID corresponding to the user name 114 (Step 142), and a setuid() call to set the user ID of the child process layer 106 to the user ID corresponding to the user name (Step 144).

[0020] Once the correct POSIX security environment has been set up for the new user in this way, the daemon application 114 issues an exec() system call with the specified user task identifier 118 as a parameter (Step 146). This causes the kernel exec routine 148 to reinitialize the address space 106, clear its storage, set up the execution environment with the correct process security (Step 150), and then pass control to the new user task program 154 (Step 152).
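
The conventional sequence of paragraphs [0014] to [0020], as an added C example that is not part of the patent text: the child looks up the user, sets supplementary groups, group ID and user ID in that order, checks that the drop cannot be undone, and only then calls exec, failing closed at every step. The function names, the exit codes, the fixed environment and the use of getgrouplist() (a glibc/BSD call standing in for the supplementary-group lookup) are assumptions of this example.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups()/getgrouplist() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child exit codes naming the step that failed (this example's own convention). */
enum {
    TASK_NO_SUCH_USER  = 100,
    TASK_GROUPS_FAILED = 101,
    TASK_SETGID_FAILED = 102,
    TASK_SETUID_FAILED = 103,
    TASK_DROP_UNSAFE   = 104,
    TASK_EXEC_FAILED   = 105
};

#define MAX_GROUPS 256

/* Runs in the forked child only and never returns. */
static void become_user_and_exec(const char *username, char *const argv[])
{
    gid_t groups[MAX_GROUPS];
    int ngroups = MAX_GROUPS;

    /* Step 132: look the user up in the security database. */
    struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        _exit(TASK_NO_SUCH_USER);
    uid_t uid = pw->pw_uid;   /* copy out: pw points at static storage */
    gid_t gid = pw->pw_gid;

    /* Steps 138/140: supplementary groups first, while still privileged.
     * A user in more than MAX_GROUPS groups is refused, not truncated. */
    if (getgrouplist(username, gid, groups, &ngroups) < 0)
        _exit(TASK_GROUPS_FAILED);
    if (setgroups((size_t)ngroups, groups) != 0)
        _exit(TASK_GROUPS_FAILED);

    /* Step 142, then step 144: the group ID must change before the user ID,
     * because after setuid() the process may no longer change its groups. */
    if (setgid(gid) != 0)
        _exit(TASK_SETGID_FAILED);
    if (setuid(uid) != 0)
        _exit(TASK_SETUID_FAILED);

    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        _exit(TASK_DROP_UNSAFE);
    if (uid != 0 && setuid(0) == 0)   /* regaining root must be impossible */
        _exit(TASK_DROP_UNSAFE);

    /* Step 146: exec the task with a fixed environment so that nothing
     * from the daemon's own environment leaks into the user task. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(argv[0], argv, envp);
    _exit(TASK_EXEC_FAILED);
}

/* Parent side (steps 122 and 129): fork, let the child switch identity,
 * and report the task's exit status, or -1 on bad input or system error. */
int run_task_as(const char *username, char *const argv[])
{
    if (username == NULL || username[0] == '\0' ||
        argv == NULL || argv[0] == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        become_user_and_exec(username, argv);   /* does not return */

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Usage: ./runas <username> <program> [args...] (must be started as root) */
int main(int argc, char *argv[])
{
    if (argc < 3)
        return 2;
    return run_task_as(argv[1], &argv[2]);
}
```

Started without root privilege, the child stops at the setgroups() step and the task is never executed, which is the fail-closed behaviour a daemon of this kind needs.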

[0021] On many POSIX-conforming systems, such as the IBM OS/390 operating system with the OpenEdition extensions, changing the user identity within a user process carries a serious performance penalty because of the extra calls made to the security database. In this conventional method the daemon cannot use the POSIX spawn() service and must therefore run part of the daemon application in the child process.
[0022] Drawing 2 shows an example of a computer system 200 (including the physical machine) incorporating this invention, and illustrates the relationship between the software layers that perform a requested task for a specified user ID. These layers include a daemon process layer or address space 202, an operating system (OS) kernel layer or address space 204, and (when created) a user task process layer or address space 206.

[0023] The daemon process layer 202 contains a daemon application 208, which includes software that monitors a port or communication line 210 connected to remote clients (not shown). The daemon application 208 accepts as input via the port 210 a client request 212 containing a user ID 214, a password 216, and an identifier 218 of the specific task to be performed (Step 220).

[0024] After the daemon application 208 has verified the user ID 214 and authenticated the password 216, it prepares a new environment in which to run the new program image that performs the requested task. To do so, the daemon application 208 first sets the environment variable USERNAME to the user name 214 of the request 212 being processed (Step 222). Next, the daemon application 208 issues a spawn() system call to the kernel layer 204 to create a new process (Step 224). The spawn() system call passes the task identifier 218 as a parameter and passes the user name 214 as the environment variable USERNAME. The daemon application 208 then loops back to the top of its routine to obtain further work (Step 236).

[0025] The spawn() system call (Step 224) gives control to the kernel spawn routine 226 in the kernel layer 204. On gaining control, the spawn routine 226 first creates a new user task layer or address space 206 (Step 228).

[0026] Next, the spawn routine 226 queries the security database 232 in the kernel layer 204 to obtain the required POSIX permission settings (Step 230). It then initializes the new address space 206 directly with the correct security permissions, that is, with the user ID and group ID of the new address space 206 set equal to the user ID and group ID associated in the database 232 with the user name 214 (specified in the environment variable USERNAME).

[0027] Finally, the kernel spawn routine 226 loads into the address space 206 the program image 238 corresponding to the user task 218 specified by the request 212 (and passed as a parameter by the daemon application 208), and passes control to the program image to perform the user task (Step 234).

[0028] To prevent misuse by remote users, use of the new environment variable USERNAME must be restricted to authorized users. The privilege required to use this function must be equivalent to that required for the setuid() function. When the daemon application 208 runs as a superuser (user ID = 0) with unrestricted access rights, as daemon applications usually do, it has the required authority.
[0029] As described above, this invention provides a method of creating the security environment for a user task process without requiring any change to the daemon process environment and without requiring any part of the daemon application to run within the user task process. This invention makes it possible to replace the conventional fork() and exec() functions with the spawn() function, thereby gaining the simplicity and performance improvement inherent in the spawn() function.

[0030] Various modifications will be apparent to those skilled in the art. Although this invention has been described specifically in the context of a POSIX-conforming system, it will be clear that it can also be used with UNIX-based systems and with other systems.

[0031] In summary, the following matters are disclosed regarding the configuration of this invention.

[0032] (1) In a server system that has an operating system kernel and in which a daemon process monitors requests from users for execution of a specified user task, each request specifying the user's identity, a method of performing said task on behalf of said user in a security environment appropriate for said user, comprising: (a) when the daemon process receives said request from said user, [1] a step of setting an environment variable according to said identity specified by said request, and [2] a step of issuing a system call to said operating system kernel to execute said specified user task in a new address space; and (b) when said operating system kernel receives said system call from said daemon process, [1] a step of creating a new address space for said specified user task, [2] a step of creating a security environment for said specified user task according to said environment variable, and [3] a step of starting said specified user task in said new address space.

(2) The method described in (1) above, wherein said operating system kernel is a POSIX-conforming operating system kernel.

(3) The method described in (1) above, wherein said system call is a spawn() system call.

(4) The method described in (1) above, wherein said user has a user name and said identity includes said user name.

(5) The method described in (4) above, wherein said environment variable is set equal to said user name.

(6) The method described in (5) above, wherein said new address space and said user name each have a user ID associated with them, and said step (b) [2] of creating said security environment sets the user ID of said new user address space equal to the user ID of the user name specified by said environment variable.

(7) The method described in (6) above, wherein the user ID of said user name is determined by accessing a security database.

(8) The method described in (5) above, wherein said new address space and said user name each have a group ID associated with them, and said step (b) [2] of creating said security environment sets the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

(9) In a server system that has an operating system kernel and in which a daemon process monitors requests from users for execution of a specified user task, each request specifying the user's identity, a device for performing said task on behalf of said user in a security environment appropriate for said user, comprising: (a) means, associated with said daemon process and responsive to receipt of said request from said user, for [1] setting an environment variable according to said identity specified by said request and [2] issuing a system call to said operating system kernel to execute said specified user task in a new address space; and (b) means, associated with said operating system kernel and responsive to receipt of said system call from said daemon process, for [1] creating a new address space for said specified user task, [2] creating a security environment for said specified user task according to said environment variable, and [3] starting said specified user task in said new address space.

(10) The device described in (9) above, wherein said operating system kernel is a POSIX-conforming operating system kernel.

(11) The device described in (9) above, wherein said system call is a spawn() system call.

(12) The device described in (9) above, wherein said user has a user name and said identity includes said user name.

(13) The device described in (12) above, wherein said environment variable is set equal to said user name.

(14) The device described in (13) above, wherein said new address space and said user name each have a user ID associated with them, and said means (b) [2] for creating said security environment includes means for setting the user ID of said new address space equal to the user ID of the user name specified by said environment variable.

(15) The device described in (14) above, wherein the user ID of said user name is determined by accessing a security database.

(16) The device described in (13) above, wherein said address space and said user name each have a group ID associated with them, and said step (b) [2] of creating said security environment sets the group ID of said new address space equal to the group ID of the user name specified by said environment variable.

(17) In a server system that has an operating system kernel and in which a daemon process supervises demands from a user who asks for execution of a specified user task, each demand specifying the user's identity, a machine-readable program storage which tangibly embodies a program executable by a machine to perform method steps for performing a task on behalf of said user using a security environment suitable for said user, said method steps containing: (a) when said daemon process receives said demand from said user, [1] the step which sets up an environment variable according to said identity specified in said demand, and [2] the step which issues a system call to said operating system to perform said specified user task in a new address space; and (b) when said operating system kernel receives said system call from said daemon process, [1] the step which creates a new address space for said specified user task, [2] the step which creates a security environment for said specified user task according to said environment variable, and [3] the step which starts said specified user task in said new address space.

(18) The program storage given in the above (17), wherein said operating system kernel is a POSIX-conforming operating system kernel.

(19) The program storage given in the above (17), wherein said system call is a spawn() system call.

(20) The program storage given in the above (17), wherein said user has a user ID and said identity contains said user ID.

(21) The program storage given in the above (20), wherein said environment variable is set equal to said user ID.

(22) The program storage given in the above (21), wherein said new address space and said user name each have a user ID associated with them, and said Step (b) [2], which creates said security environment, contains the step which sets the user ID of said new address space equal to the user ID of the user name specified by said environment variable.

(23) The program storage given in the above (22), wherein said user ID of said user name is determined by accessing a security database.

(24) The program storage given in the above (21), wherein said new address space and said user name each have a group ID associated with them, and said Step (b) [2], which creates said security environment, contains the step which sets the group ID of said new address space equal to the group ID of the user name specified by said environment variable.
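The flow in items (9) and (17), approximated in user space as an added example (not code from the patent or from any operating system). Standard POSIX has no spawn() that sets credentials from an environment variable, so fork()/execv() stand in for the kernel spawn routine and the passwd database stands in for the security database; the function names and the variable name passed in are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve the user named by environment variable `var` to a UID and
 * primary GID via the passwd database (stand-in for the security database). */
int resolve_identity_from_env(const char *var, uid_t *uid, gid_t *gid)
{
    const char *name = getenv(var);
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (name == NULL || *name == '\0')
        return -1;                 /* no identity given: refuse, never default */
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;                 /* unknown user */
    *uid = pw.pw_uid;
    *gid = pw.pw_gid;
    return 0;
}

/* Emulated spawn: new process, credentials taken from the variable, then
 * exec. Returns the child's exit status, or -1 if nothing was started. */
int spawn_as_env_user(const char *var, char *const argv[])
{
    uid_t uid;
    gid_t gid;
    int status;
    pid_t pid;

    if (resolve_identity_from_env(var, &uid, &gid) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Groups and GID first, UID last; every call is checked so the
         * task never runs with the daemon's leftover privileges. */
        if (getuid() == 0 && setgroups(1, &gid) != 0) _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(126);
        if (getuid() != uid || getgid() != gid) _exit(126);
        execv(argv[0], argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the identity travels in an environment variable, whatever code sets that variable decides which credentials the task receives, so only the authenticated daemon should be able to set it.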



DESCRIPTION OF DRAWINGS 

[Brief Description of the Drawings] 

[Drawing 1] It is a figure showing the computer systems incorporating the conventional embodiment which creates the security environment for a user-requested task.

[Drawing 2] It is a figure showing the computer systems which use the nest of this invention which creates the security environment for a user-requested task.

[Description of Notations] 

200 Computer systems 

202 Daemon process layer

204 Kernel layer 

206 User task process layer 

208 Daemon application

210 Port 

214 User name 

226 Kernel spawn routine 

232 Security database 

238 User task 
DRAWINGS

[Drawing 1]

[Drawing 2]